1 /* author: Kacper Wysocki <kwy@redpill-linpro.com> */
3 #include "../prads.h"
4 #include "../cxt.h"
5 #include "../sys_func.h"
6 #include "log.h"
7 #include "log_sguil.h"
/* Descriptor registered with the output core for the sguil
 * connection-log plugin.  The hooks this plugin implements are listed
 * first; the remaining hooks are explicitly NULL so the core skips
 * them.  .data is filled in by init_output_sguil() at run time. */
output_plugin p_sguil = {
    .init       = &init_output_sguil,
    .connection = &sguil_connection,
    .denit      = &sguil_end,
    .rotate     = &sguil_rotate,
    .arp        = NULL,
    .os         = NULL,
    .service    = NULL,
    .data       = NULL,
};
/* Hand the core a pointer to the (file-scope) sguil plugin descriptor.
 * The descriptor is static; the caller must not free it. */
output_plugin *init_log_sguil()
{
    output_plugin *descriptor = &p_sguil;
    return descriptor;
}
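/*
 * Open a fresh sguil log file named "<log_prefix>.<check_time>" and
 * attach the per-plugin state to p->data.
 *
 * p           plugin whose ->data receives the new state.
 * log_prefix  path prefix of the log file.  The pointer itself is
 *             stored in the state (it is not copied), so the caller
 *             must keep the string alive for the plugin's lifetime.
 * check_time  timestamp used as the file-name suffix; 0 means "now"
 *             (time(NULL) narrowed to int, as the interface requires).
 *
 * Returns 0 on success, 1 when no prefix was given, 2 when the name
 * did not fit or the file could not be opened, 3 on allocation
 * failure.  On any failure p->data is left untouched and no file
 * handle is leaked.
 *
 * NOTE(review): the file name is predictable and fopen("w") truncates
 * and follows symlinks; keep the log directory writable only by the
 * prads user.
 */
int init_output_sguil(output_plugin *p, const char* log_prefix, int check_time)
{
    FILE *cxtfile;
    /* Static so the name outlives this call: sguil_data->filename
     * points into it.  One buffer per process means only a single
     * sguil plugin instance can be active at a time. */
    static char filename[PATH_MAX];
    struct log_sguil *sguil_data;

    if (!log_prefix) {
        elog("sguil plugin on but no output directory!");
        return 1;
    }
    if (!check_time)
        check_time = (int) time(NULL);

    /* snprintf never overruns, but a truncated name would silently log
     * to the wrong file, so treat truncation as an open failure. */
    int n = snprintf(filename, sizeof filename, "%s.%d", log_prefix, check_time);
    if (n < 0 || (size_t) n >= sizeof filename) {
        elog("[*] ERROR: log file name too long for prefix %s\n", log_prefix);
        return 2;
    }

    cxtfile = fopen(filename, "w");
    if (cxtfile == NULL) {
        elog("[*] ERROR: Cant open file %s\n", filename);
        return 2;
    }
    dlog("Opened file: %s\n", filename);

    sguil_data = calloc(1, sizeof(*sguil_data));
    if (sguil_data == NULL) {
        elog("[*] ERROR: out of memory while opening %s\n", filename);
        fclose(cxtfile);    /* do not leak the handle on the error path */
        return 3;
    }
    sguil_data->prefix = log_prefix;
    sguil_data->filename = filename;
    sguil_data->file = cxtfile;
    p->data = sguil_data;

    return 0;
}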
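/*
 * Close the log file and release the plugin state.
 *
 * p  plugin whose ->data was set by init_output_sguil().  Calling this
 *    when ->data is NULL (plugin never initialised, or a rotate that
 *    failed to reopen) is a no-op.
 *
 * Returns 0 on success, 1 if fclose() reported an error; the state is
 * released and p->data cleared either way.
 */
int sguil_end(output_plugin *p)
{
    struct log_sguil *d = (struct log_sguil*) p->data;
    int rc = 0;

    if (d == NULL)
        return 0;

    /* fclose() flushes; a failure here means buffered records were
     * lost, which is worth surfacing for a log that feeds a console. */
    if (d->file != NULL && fclose(d->file) != 0) {
        elog("[*] ERROR: closing %s failed\n", d->filename ? d->filename : "?");
        rc = 1;
    }
    free(d);
    p->data = NULL;
    return rc;
}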
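/*
 * Reopen the log file under a new timestamp suffix (log rotation).
 *
 * plugin      the sguil plugin; plugin->data must have been set up by
 *             init_output_sguil().  If it is NULL an error is logged
 *             and nothing is reopened, since no prefix is known.
 * check_time  timestamp for the new file name; "some time(NULL)".  It
 *             is narrowed to int because that is what
 *             init_output_sguil() takes.
 *
 * The prefix is read out before sguil_end() frees the state that holds
 * it.  If the new file cannot be opened, plugin->data stays NULL and
 * the failure is logged rather than ignored.
 */
void sguil_rotate(output_plugin *plugin, time_t check_time)
{
    struct log_sguil *d = (struct log_sguil*) plugin->data;
    const char* prefix;

    if (d == NULL) {
        elog("[*] ERROR: sguil rotate called without an open log\n");
        return;
    }
    prefix = d->prefix;

    /* end_(all)_sessions - make a new logfile */
    sguil_end(plugin);
    if (init_output_sguil(plugin, prefix, (int) check_time) != 0)
        elog("[*] ERROR: sguil rotate could not reopen log with prefix %s\n", prefix);
}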
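/* Format t as "YYYY-MM-DD HH:MM:SS" (UTC) into buf.  buf is emptied
 * when gmtime() cannot represent t or the result does not fit, so the
 * caller never prints an uninitialised buffer. */
static void sguil_fmt_time(char *buf, size_t len, time_t t)
{
    struct tm *tm = gmtime(&t);
    if (tm == NULL || strftime(buf, len, "%F %H:%M:%S", tm) == 0)
        buf[0] = '\0';
}

/*
 * Write one connection as a '|'-separated sguil record.
 *
 * plugin      the sguil plugin.  If its log is not open (plugin->data
 *             or the file is NULL, e.g. after a failed rotate) the
 *             record is dropped instead of dereferencing NULL.
 * cxt         the connection to log.
 * outputmode  CX_NEW, CX_HUMAN and CX_EXCESSIVE are ignored; every
 *             other mode writes a record.
 *
 * Record layout (one line):
 *   <start><id>|<start fmt>|<last fmt>|<duration>|<proto>|
 *   <src>|<sport>|<dst>|<dport>|<spkts>|<sbytes>|<dpkts>|<dbytes>|<sflags>|<dflags>
 * where <start> is the epoch second immediately followed by the
 * 9-digit zero-padded connection id.  For AF_INET the addresses are
 * written as host-order 32-bit decimal integers; for AF_INET6 as
 * inet_ntop() text.  If inet_ntop() fails the address field is left
 * empty rather than reusing whatever a previous call produced.
 */
void sguil_connection (output_plugin *plugin, connection *cxt, int outputmode)
{
    /* log_connection */
    char stime[80], ltime[80];
    char src_s[INET6_ADDRSTRLEN], dst_s[INET6_ADDRSTRLEN];
    time_t tot_time;
    uint32_t s_ip_t = 0, d_ip_t = 0;   /* printed for every non-IPv6 af, so never leave unset */

    switch (outputmode) {
        case CX_NEW:
        case CX_HUMAN:
        case CX_EXCESSIVE:
            return;
        default:
            break;
    }

    struct log_sguil *d = (struct log_sguil*) plugin->data;
    if (d == NULL || d->file == NULL)
        return;   /* log not open; nothing to write to */
    FILE *fd = d->file;

    sguil_fmt_time(stime, sizeof stime, cxt->start_time);
    sguil_fmt_time(ltime, sizeof ltime, cxt->last_pkt_time);
    tot_time = cxt->last_pkt_time - cxt->start_time;

    if (cxt->af == AF_INET) {
        s_ip_t = ntohl(cxt->s_ip.s6_addr32[0]);
        d_ip_t = ntohl(cxt->d_ip.s6_addr32[0]);
    }

    /* Casts keep the conversion specifiers valid on every platform:
     * time_t is not always long, and %ju requires uintmax_t. */
    fprintf(fd, "%lld%09ju|%s|%s|%lld|%hhu|",
            (long long) cxt->start_time, (uintmax_t) cxt->cxid, stime, ltime,
            (long long) tot_time, cxt->proto);

    if (cxt->af == AF_INET6) {
        if (!inet_ntop(AF_INET6, &cxt->s_ip, src_s, sizeof src_s)) {
            perror("inet_ntop");
            src_s[0] = '\0';
        }
        if (!inet_ntop(AF_INET6, &cxt->d_ip, dst_s, sizeof dst_s)) {
            perror("inet_ntop");
            dst_s[0] = '\0';
        }
        fprintf(fd, "%s|%u|%s|%u|",
                src_s, (unsigned) ntohs(cxt->s_port),
                dst_s, (unsigned) ntohs(cxt->d_port));
    } else {
        fprintf(fd, "%u|%u|%u|%u|",
                s_ip_t, (unsigned) ntohs(cxt->s_port),
                d_ip_t, (unsigned) ntohs(cxt->d_port));
    }

    fprintf(fd, "%ju|%ju|",
            (uintmax_t) cxt->s_total_pkts, (uintmax_t) cxt->s_total_bytes);
    fprintf(fd, "%ju|%ju|%u|%u",
            (uintmax_t) cxt->d_total_pkts, (uintmax_t) cxt->d_total_bytes,
            (unsigned) cxt->s_tcpFlags, (unsigned) cxt->d_tcpFlags);
    fprintf(fd, "\n");
}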